Third council in a week sees substantial ICO fine over "serious" data breach

Cheshire East Council has become the third local authority in a week to be hit with a substantial monetary penalty for a data protection breach.

The Information Commissioner’s Office has ordered the council to pay £80,000 over a “serious breach” that occurred in May 2011.

On Monday the watchdog fined Croydon Council £100,000 and Norfolk County Council £80,000 over breaches of the Data Protection Act last year.

The Cheshire East penalty brings the total amount of monetary penalties levied on local authorities since the ICO won enhanced powers in April 2010 to more than £1m.

The Cheshire East case arose when a council employee was asked to contact the local voluntary sector co-ordinator to alert local voluntary workers to a police force’s concerns about an individual who was working in the area.

The employee – who had not received data protection training – was not told which agencies should be contacted or how instructions from the ‘potentially dangerous persons’ meeting should be acted on by the co-ordinator.

The staff member did not send an email via Cheshire East’s secure system, but instead sent it to the co-ordinator via her personal email account. This was in breach of the council’s policy that secure means must be used when sending data to external recipients.

The employee explained that the secure government email account could not be used because the co-ordinator did not have an appropriate email account. Using the local secure email system would have prevented further dissemination of the information by the co-ordinator.

The email contained the individual’s name and an alleged alias as well as information about the police’s child protection concerns. It was forwarded by the co-ordinator to 100 intended recipients.

The ICO investigation found that the email did not have any clear markings or advice on how it should be treated. The recipients interpreted the message to mean that they should forward it to other voluntary organisations as appropriate. This meant 180 unintended recipients received the email.

Following the breach, Cheshire East attempted to recall the email to prevent further dissemination. Just over half of the recipients confirmed that they had deleted the information.

In imposing the monetary penalty, the ICO considered that highly sensitive personal data relating to an individual had been disclosed, without authorisation, to unintended recipients.

The contravention was serious because of the highly sensitive nature of the data. A further factor was that the individual concerned had been compelled to refute the allegations in the local press.

The ICO concluded that there had been a lack of appropriate data protection training and support. The contravention was also due “to the negligent behaviour of the data controller in failing to take appropriate technical and organisational measures against the unauthorised processing of personal data”.

The watchdog did acknowledge this was the first time information of this nature had to be disclosed to the co-ordinator, and that Cheshire East had apologised to the individual affected and agreed to take substantial remedial action.

Stephen Eckersley, the ICO’s Head of Enforcement, said: “While we appreciate that it is vitally important for genuine concerns about individuals working in the voluntary sector to be circulated to relevant parties, a robust system must be put in place to ensure that information is appropriately managed and carefully disclosed. Cheshire East Council also failed to provide this particular employee with adequate data protection training. The highly sensitive nature of the information and the need to restrict its circulation should have been made clear to all recipients.

“I hope this case – along with the fact that we’ve handed out over one million pounds worth of penalties since our powers came into force – acts as a strong incentive for other councils to ensure that they have sufficient measures in place around protecting personal data.”

This week's penalties came just days after it emerged that the ICO and the Department for Communities and Local Government had jointly written to all local authority chief executives to remind them of their obligations under the Data Protection Act and the importance of good information governance.

In the letter, Christopher Graham, the Information Commissioner, and Sir Bob Kerslake, Permanent Secretary at the DCLG, said they hoped that the ICO’s powers to use monetary penalties would need to be used “only sparingly”.

The monetary penalties go to the Treasury’s Consolidated Fund, not to the ICO.